Security takes backseat to meaningful use
Experts warn government is serious about enforcement
SAN FRANCISCO – Eighty percent of respondents to a March 2011 Healthcare IT News survey of hospital and health system IT professionals indicated that achieving meaningful use was top of mind, ranking above privacy and security concerns.
Only 38 percent of those who completed the survey indicated they are in the process of enterprise-wide adoption of secure EHRs.
The survey results confirm what Oracle and Deloitte, which commissioned the survey, are seeing in the marketplace, attendees were told at a healthcare session at the Oracle OpenWorld Conference last month.
While meaningful use is very important, privacy and security are down on the priority list, partly as a result of limited resources and competing requirements, said Russell Jones, partner at Deloitte & Touche LLP, in the session Secure EHRs: Achieving ‘Meaningful Use’ Compliance and Preventing Data Theft and Fraud.
With the Department of Health and Human Services "serious about enforcement" – HHS has engaged a Big 4 auditor to conduct up to 150 HIPAA security and privacy audits between now and the end of 2012 – Jones said hospitals and health systems need to deploy a set of controls that are robust yet flexible enough not to impede physician workflow.
Jones recommended that healthcare organizations take a framework approach to securing EHRs. Kaiser, Baylor Health Care System and a number of other healthcare organizations collaborated with HITRUST a couple of years ago to develop a Common Security Framework, or CSF, for the healthcare industry. Hospitals and health systems need to protect electronic protected health information (ePHI) inside the EHR as well as PHI held outside it, said Jones. Ideally, he said, an organization finds a set of controls that can be implemented and tested once yet satisfies many requirements.
“Meaningful use should not be a siloed approach,” said Jones. Security should be a line item in the meaningful use initiative. “Being compliant doesn’t mean you’re secure,” he added. “You’re going to need technology solutions that are data centric.”
Reid Oakes, senior director of healthcare technology for Oracle, noted that technology solutions should look across the entire enterprise within the integrated framework approach. Once hospitals and health systems determine what they are trying to secure and where it is, they need to build, from the top down, a data map that encompasses business and clinical processes, and only then deploy the technology.
Oakes took a deep dive into the various types of solutions for protecting data, including database security, identity management and information rights management applied to the data itself. An information rights management solution, for example, should provide document-level access control as well as policy-level control capable of de-identifying the data, he said.
“You have to secure data in the right places and dynamically manage access,” Oakes said. “You have to look at security as a constant iterative process.”
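To make the two controls Oakes describes concrete, here is an added illustration of document-level access control combined with policy-driven de-identification of a patient record. This is example code written for this article, not Oracle's information rights management product or any code from the session; the roles, the policy table, the salt and the sample patient record are all constructed assumptions. The de-identification step follows the HIPAA Safe Harbor pattern (drop direct identifiers, keep only the year of dates, truncate ZIP codes to three digits, aggregate ages over 89), and the access decision is evaluated on every request rather than fixed when the document is stored, which is what "dynamically manage access" amounts to in practice.

```python
"""Policy-driven access control and de-identification for a patient record.

Added example for this article; not Oracle's product code. Policy, roles,
salt and the sample record are constructed assumptions.
"""

import copy
import hashlib

# Constructed sample record (fictional patient), embedded so the example
# runs offline. In a real deployment this would be read from the EHR store.
SAMPLE_RECORD = {
    "mrn": "MRN-0042",
    "name": "Jane Q. Sample",
    "dob": "1951-07-14",
    "zip": "94110",
    "admit_date": "2011-09-30",
    "diagnosis": "Type 2 diabetes mellitus",
    "attending": "dr.lee",
}

# Hypothetical policy table: which view each role receives. Any role not
# listed is denied, so the default is least privilege.
POLICY = {
    "treating_clinician": "identified",
    "billing": "identified",
    "researcher": "deidentified",
}

# Safe Harbor identifier classes, reduced to the fields this record carries.
DIRECT_IDENTIFIERS = ("mrn", "name")
DATE_FIELDS = ("dob", "admit_date")

# In-memory audit trail of access decisions (HIPAA requires audit controls).
AUDIT_LOG = []


def deidentify(record, salt, reference_year):
    """Return a de-identified copy of `record` following Safe Harbor rules.

    - direct identifiers are removed and the MRN replaced by a keyed hash,
      so records of one patient stay linkable without exposing the MRN;
    - dates keep only the year, and patients over 89 are aggregated as 90+;
    - ZIP is truncated to its first three digits (Safe Harbor additionally
      requires 000 for sparsely populated three-digit areas; that list is
      not embedded here and is the caller's responsibility).
    """
    out = copy.deepcopy(record)
    token = hashlib.sha256((salt + record["mrn"]).encode()).hexdigest()[:16]
    for field in DIRECT_IDENTIFIERS:
        out.pop(field, None)
    out["patient_token"] = token
    for field in DATE_FIELDS:
        if field in out:
            out[field] = out[field][:4]  # year only
    if "dob" in out and reference_year - int(out["dob"]) > 89:
        out["dob"] = "90+"
    if "zip" in out:
        out["zip"] = out["zip"][:3] + "00"
    return out


def access_record(record, role, salt="example-salt", reference_year=2011):
    """Document-level access decision. Returns (decision, view).

    The policy is consulted per request, so revoking a role or changing the
    policy table takes effect on the next access, not at storage time.
    """
    mode = POLICY.get(role, "deny")
    if mode == "deny":
        view = None
    elif mode == "identified":
        view = copy.deepcopy(record)
    else:
        view = deidentify(record, salt, reference_year)
    decision = "deny" if view is None else "allow"
    AUDIT_LOG.append({"mrn": record["mrn"], "role": role,
                      "decision": decision, "view": mode})
    return decision, view


if __name__ == "__main__":
    for role in ("treating_clinician", "researcher", "intruder"):
        print(role, access_record(SAMPLE_RECORD, role))
```

The point of the keyed hash rather than a plain hash of the MRN is that MRNs are short and structured, so an unkeyed hash could be brute-forced back to the identifier; the salt must be kept with the same care as the identified data. Note also that the researcher view still carries the diagnosis and the attending physician, so a real policy would decide field by field which attributes a given role may see rather than only switching between two views.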
Further confirming the findings of the Healthcare IT News survey is a recent report from PwC's Health Research Institute.
Among its findings:
• More than half (55 percent) of health organizations surveyed have not addressed privacy and security issues associated with the use of mobile devices, and less than one-quarter have addressed privacy and security implications of social media.
• More than half (54 percent) of health organizations surveyed reported at least one issue with information privacy and security over the past two years.
"Although paper-based health information breaches must now be disclosed under the breach notification provision of the HITECH Act, electronic data breaches occur three times more frequently and affect 25 times more people when they occur," said James Koenig, director and co-leader, Health Information Privacy and Security Practice, PwC.